How to install the WiKID Enterprise RPMs
Thank you for your interest in the WiKID Strong Authentication System for your two-factor authentication needs. We have made a number of changes in the 3.0 release, mostly in the underlying architecture. We are continuing to move away from an appliance-only model. As such, we have moved from multiple controller scripts (setup, start, stop, etc) to a single 'wikidctl' script that takes arguments start, stop, etc. We have packaged all webapps as WAR files and bundled Tomcat 5.5 with the server, so you should be able to drop the WARs into an existing servlet container.
Requirements
- PostgreSQL, iptables
- Java 1.6 JDK. Java 6 is required to use WiKID two-factor authentication with Google SAML/SSO.
- We're currently recommending the OpenJDK over Sun's JDK.
- If you do use Sun's JDK, install the Java JCE Unlimited Strength Jurisdiction Policy files.
- Testing was done on Red Hat Enterprise Linux Version 5 and CentOS 5.
Hardware Requirements
- 8-16+ gigs of hard drive space.
- 1 gig of RAM (2 gigs if using replication)
- 2 Ethernet connections
- Moderate CPU required
- These hardware specs are for production. The server has been tested in a 256 meg RAM vmware image.
The package also likes to have a symlink to java in /opt, though the RPM will attempt to autocreate that link.
If you use Sun's jdk, create a symlink to keytool:
# ln -s /usr/java/latest/bin/keytool /usr/bin/keytool
And be sure to set JAVA_HOME:
# export JAVA_HOME=/usr/java/latest/
OpenJDK is a bit easier. You can install the OpenJDK via yum:
yum install java-1.6.0-openjdk
To install all the other needed software on one line:
yum install postgresql postgresql-libs postgresql-jdbc postgresql-server postgresql-pl compat-libstdc++-296 ntp system-config-date perl-libwww-perl
Make sure that postgresql is initialized:
service postgresql start
Make sure that alternatives has the correct Java:
/usr/sbin/alternatives --install /usr/bin/java java /usr/java/latest/bin/java 2
/usr/sbin/alternatives --config java
Test that the system is using the correct Java:
java -version
Install the WiKID RPMs.
rpm -ivh wikid-enterprise...
rpm -ivh wikid-utilities...
Then run setup:
/opt/WiKID/bin/wikidctl setup
Select that you want to change your network settings. The script will pick up your existing network settings, walk you through them and create an SSL cert for the server. Once done, start the server:
/opt/WiKID/bin/wikidctl start
Go to http:// to complete the set up.
To stop the server:
/opt/WiKID/bin/wikidctl stop
From here, you can follow the standard documentation, such as the new 3.0 Quickstart Guide or the Complete installation manual.
One key difference: Tomcat is now inside /opt/WiKID, so the example.jsp file is now /opt/WiKID/tomcat/webapps/WiKIDAdmin/example.jsp. The domain identifier is now parameterized too. You can change it on line 41.
Ports:
The WiKID token clients require port 80. You can use NAT, but it needs to be routable for the token clients.
The following services may only need internal access based on your needs:
- The WiKIDAdmin uses 443.
- wAuth uses 8388
- LDAP uses 10389
- TACACS+ uses 49
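The port list above expressed as iptables rules, as an added example that is not part of the WiKID package or its setup script. It assumes every listed service is TCP and that 10.0.0.0/24 stands in for your internal network; the rules are only printed for review, not applied.

```shell
#!/bin/sh
# Added example: print (do not apply) iptables rules matching the port list.
# Assumptions: all services are TCP; the internal subnet is passed as $1.

PUBLIC_PORTS="80"                    # token clients, must be routable
INTERNAL_PORTS="443 8388 10389 49"   # WiKIDAdmin, wAuth, LDAP, TACACS+

valid_cidr() {
    # Accept dotted-quad/prefix only, so nothing unexpected lands in a rule.
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

wikid_rules() {
    internal_net="$1"
    valid_cidr "$internal_net" || { echo "bad CIDR: $internal_net" >&2; return 1; }
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    for p in $PUBLIC_PORTS; do
        echo "iptables -A INPUT -p tcp --dport $p -j ACCEPT"
    done
    for p in $INTERNAL_PORTS; do
        # Allow the internal subnet first, then drop everyone else.
        echo "iptables -A INPUT -p tcp -s $internal_net --dport $p -j ACCEPT"
        echo "iptables -A INPUT -p tcp --dport $p -j DROP"
    done
}

# Usage: sh wikid-rules.sh 10.0.0.0/24
if [ $# -gt 0 ]; then
    wikid_rules "$1"
fi
```

Drop any port from INTERNAL_PORTS that corresponds to a service you do not run, and compare the output with `iptables -L -n` before loading anything.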
Troubleshooting:
You may see some errors on running 'wikidctl setup':
dropdb: too many command-line arguments (first is "2>/dev/null")
Try "dropdb --help" for more information.
dropuser: too many command-line arguments (first is "2>/dev/null")
Try "dropuser --help" for more information.
dropuser: too many command-line arguments (first is "2>/dev/null")
Try "dropuser --help" for more information.
dropuser: too many command-line arguments (first is "2>/dev/null")
Try "dropuser --help" for more information.
dropuser: too many command-line arguments (first is "2>/dev/null")
Try "dropuser --help" for more information.
dropuser: too many command-line arguments (first is "2>/dev/null")
Try "dropuser --help" for more information.
dropuser: too many command-line arguments (first is "2>/dev/null")
Try "dropuser --help" for more information.
<clipped sql logs here>
/bin/cp: cannot create regular file `/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0/jre//jre/lib/security/': No such file or directory
/bin/cp: target `/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0/jre//jre/lib/security/' is not a directory
/bin/cp: cannot create regular file `/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0/jre//jre/lib/ext/': No such file or directory
/bin/cp: cannot create regular file `/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0/jre//jre/lib/ext/': No such file or directory
You can safely ignore these messages. We apologize for the confusion.
You may need to install the JCE Unlimited Strength Jurisdiction Policy Files to avoid the "Illegal Key Size error".
If you can't login to the WiKIDAdmin site due to a bad username and password, there is probably an issue with database connectivity. Check that postgres is running on the proper port:
netstat -anp | grep 5432
Check that 127.0.0.1 is the first item in /etc/hosts and not the IPv6 ::1 listing.
Make sure that postgresql-jdbc is installed.
Disable SELinux.
Check that the pg_hba.conf file copied properly:
diff /opt/WiKID/conf/templates/pg_hba.conf /var/lib/pgsql/data/pg_hba.conf
If you get any response to this command, you can copy the /opt/WiKID/conf/templates version to /var/lib/pgsql/data. However, this may indicate that the rpm did not fully install and you may want to reinstall.
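The database-connectivity checks above collected into one script, as an added example that is not shipped with WiKID. The function names are made up for this example; the file paths and the package name are the ones given on this page.

```shell
#!/bin/sh
# Added example: the WiKIDAdmin login troubleshooting checks as functions.

first_hosts_addr() {
    # First address in a hosts file, skipping comments and blank lines.
    awk '/^[ \t]*#/ || NF == 0 { next } { print $1; exit }' "$1"
}

hosts_ok() {
    # 127.0.0.1 must come before the IPv6 ::1 entry.
    [ "$(first_hosts_addr "$1")" = "127.0.0.1" ]
}

pg_listening() {
    # stdin: `netstat -an` output; succeeds if a TCP socket listens on :5432.
    awk '$1 ~ /^tcp/ && $4 ~ /:5432$/ && $6 == "LISTEN" { found = 1 }
         END { exit !found }'
}

pg_hba_matches() {
    # $1 = template, $2 = live file; succeeds only if byte-identical.
    cmp -s "$1" "$2"
}

run_checks() {
    rc=0
    netstat -an | pg_listening ||
        { echo "FAIL: nothing listening on 5432"; rc=1; }
    hosts_ok /etc/hosts ||
        { echo "FAIL: first /etc/hosts entry is $(first_hosts_addr /etc/hosts)"; rc=1; }
    rpm -q postgresql-jdbc >/dev/null 2>&1 ||
        { echo "FAIL: postgresql-jdbc not installed"; rc=1; }
    pg_hba_matches /opt/WiKID/conf/templates/pg_hba.conf \
                   /var/lib/pgsql/data/pg_hba.conf ||
        { echo "FAIL: pg_hba.conf differs from the template"; rc=1; }
    return $rc
}

# Usage: sh wikid-dbcheck.sh --run   (run as root on the WiKID server)
if [ "$1" = "--run" ]; then
    run_checks
fi
```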
